Description of problem:
A stock install of RHEL5 and Fedora 8 (and possibly earlier versions) has /net
managed by autofs (see /etc/auto.master).
Unfortunately, the "nosuid" mount option is not specified, meaning that any
remote system's export auto-mounted under /net may contain arbitrary suid root binaries.
Version-Release number of selected component (if applicable): RHEL 5, Fedora 8
How reproducible: Always
Steps to Reproduce:
1. Set up an NFS server with an suid root binary in an exported directory.
2. Log into a system running Fedora 8/RHEL 5. Ensure autofs is running.
3. As a non-root user on the Fedora 8/RHEL 5 box, change directory to
4. Run the suid root binary.
Actual results:
The suid binary runs with the effective UID of 0, so the unprivileged
user now has full access to the system.
Expected results:
The share should have been mounted with the nosuid option, so that the
executable does not run with the effective UID of root.
Additional info:
Changing the entry (in /etc/auto.master) to:
"/net -nosuid -hosts"
will prevent exploitation.
I have also mailed this alert to secalert (from jhlange).
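The audit and the suggested change above, as an added example that is not part of this report or of the autofs package: a POSIX shell script that reads an auto.master file, reports whether its /net entry carries the nosuid option, and emits the corrected "/net -nosuid -hosts" form. The file names and the sample map contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report: audit an auto.master file for a /net
# entry that lacks the nosuid mount option, and emit the corrected line the
# report recommends. File names and map contents below are constructed.

# Print "vulnerable", "ok" or "absent" for the /net entry of the given master map.
check_net_nosuid() {
    master="$1"
    # Skip comment lines; take the first entry whose mount point is /net.
    line=$(grep -v '^[[:space:]]*#' "$master" | awk '$1 == "/net" { print; exit }')
    [ -n "$line" ] || { echo absent; return 0; }
    # Master-map options are dash-prefixed tokens, possibly comma-separated
    # (e.g. "-hosts", "-nosuid", "-nodev,nosuid"). Look for a bare "nosuid".
    for tok in $line; do
        case "$tok" in
        -*)
            for opt in $(printf '%s' "$tok" | sed 's/^-*//' | tr ',' '\n'); do
                [ "$opt" = nosuid ] && { echo ok; return 0; }
            done ;;
        esac
    done
    echo vulnerable
}

# Print the map with "-nosuid" inserted right after the /net mount point,
# yielding the "/net -nosuid -hosts" form the report suggests.
fix_net_nosuid() {
    sed 's|^\(/net[[:space:]]\{1,\}\)|\1-nosuid |' "$1"
}

# Constructed sample resembling the stock file described in the report.
tmp=$(mktemp -d)
cat > "$tmp/auto.master" <<'EOF'
# Sample master map (constructed)
/misc   /etc/auto.misc
/net    -hosts
+auto.master
EOF

# Only rewrite a map that the audit flags, so nosuid is never added twice.
if [ "$(check_net_nosuid "$tmp/auto.master")" = vulnerable ]; then
    fix_net_nosuid "$tmp/auto.master" > "$tmp/auto.master.fixed"
fi
```

Run the audit against the real /etc/auto.master; the fix function only prints the corrected map, so review its output before replacing the file.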
CVE-2007-5964, see bug #410031 for top level
*** Bug 421361 has been marked as a duplicate of this bug. ***
autofs-5.0.2-20 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.